From tentoilatentoi at yahoo.com Thu Oct 23 09:18:44 2014
From: tentoilatentoi at yahoo.com (N T H)
Date: Thu, 23 Oct 2014 00:18:44 -0700
Subject: [pyOpenSSL-Users] sslv3 alert handshake failure
Message-ID: <1414048724.51620.YahooMailNeo@web161806.mail.bf1.yahoo.com>

Hi all,

I was trying to connect to the Apple Push Notification Service in sandbox mode.

- Using openssl-1.0.1e: OK. Below is the command:

#openssl s_client -cert file_cert.pem -key file_key.pem -CAfile entrust_2048_ca.cer -host gateway.sandbox.push.apple.com -port 2195

- Using pyOpenSSL-0.1.4: I got the error 'sslv3 alert handshake failure'. Below is my Python code:

import socket
import six
import OpenSSL.SSL
import OpenSSL.crypto

cert_file = "file_cert.pem"        # same certificate and key files as in the s_client command above
key_file = "file_key.pem"
passphrase = "<key passphrase>"    # placeholder, the real passphrase is not part of this post

context = OpenSSL.SSL.Context(OpenSSL.SSL.SSLv3_METHOD)
context.load_verify_locations("entrust_2048_ca.cer")
context.set_verify(OpenSSL.SSL.VERIFY_PEER,
                   lambda conn, cert, errno, depth, preverify_ok: preverify_ok)

passphrase = six.b(passphrase)
with open(cert_file, 'rb') as fp:
    cert_string = fp.read()
cert = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, cert_string)
context.use_certificate(cert)

with open(key_file, 'rb') as fp:
    key_string = fp.read()
args = [OpenSSL.crypto.FILETYPE_PEM, key_string, passphrase]
pk = OpenSSL.crypto.load_privatekey(*args)
context.use_privatekey(pk)
context.check_privatekey()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # named sock so the socket module is not shadowed
ssl_conn = OpenSSL.SSL.Connection(context, sock)
ssl_conn.connect(("gateway.sandbox.push.apple.com", 2195))
ssl_conn.setblocking(1)
ssl_conn.do_handshake()

I'm using Python 2.7.3, Debian wheezy. The entrust_2048_ca.cer file was downloaded from https://www.entrust.net/downloads/binary/entrust_2048_ca.cer

Can you help me?

Thanks
From p.mayers at imperial.ac.uk Thu Oct 23 09:33:55 2014
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 23 Oct 2014 08:33:55 +0100
Subject: [pyOpenSSL-Users] sslv3 alert handshake failure
In-Reply-To: <1414048724.51620.YahooMailNeo@web161806.mail.bf1.yahoo.com>
References: <1414048724.51620.YahooMailNeo@web161806.mail.bf1.yahoo.com>

Why did you force sslv3? In case you haven't heard, it's recently had security problems and many places have turned it off. Use the highest tlsv.. method you can, not the lowest.

-- 
Sent from my mobile device, please excuse brevity and typos

From info at egenix.com Fri Oct 24 10:08:18 2014
From: info at egenix.com (eGenix Team: M.-A. Lemburg)
Date: Fri, 24 Oct 2014 10:08:18 +0200
Subject: [pyOpenSSL-Users] ANN: eGenix pyOpenSSL Distribution 0.13.5
Message-ID: <544A08F2.6090701@egenix.com>

________________________________________________________________________

ANNOUNCING

                 eGenix.com pyOpenSSL Distribution

                           Version 0.13.5

    An easy-to-install and easy-to-use distribution of the pyOpenSSL
    Python interface for OpenSSL - available for Windows, Mac OS X and
                            Unix platforms

This announcement is also available on our web-site for online reading:
http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.13.5.html

________________________________________________________________________
INTRODUCTION

The eGenix.com pyOpenSSL Distribution includes everything you need to
get started with SSL in Python.

It comes with an easy-to-use installer that includes the most recent
OpenSSL library versions in pre-compiled form, making your application
independent of OS provided OpenSSL libraries:

    http://www.egenix.com/products/python/pyOpenSSL/

pyOpenSSL is an open-source Python add-on that allows writing SSL/TLS-aware
network applications as well as certificate management tools:

    https://launchpad.net/pyopenssl/

OpenSSL is an open-source implementation of the SSL/TLS protocol:

    http://www.openssl.org/

________________________________________________________________________
NEWS

This new release of the eGenix.com pyOpenSSL Distribution updates the
included OpenSSL version to the latest OpenSSL 1.0.1h version and adds
a few more context options:

New in OpenSSL
--------------

 * Updated included OpenSSL libraries from OpenSSL 1.0.1i to 1.0.1j.
   See https://www.openssl.org/news/secadv_20141015.txt for a complete
   list of changes. The following fixes are relevant for pyOpenSSL
   applications:

   - CVE-2014-3567: Memory leak in OpenSSL session ticket management.

   - OpenSSL has added support for TLS_FALLBACK_SCSV to allow
     applications to block the ability for a MITM attacker to force a
     protocol downgrade, e.g. to enable a POODLE (CVE-2014-3566) attack
     by forcing a downgrade to SSLv3. This is enabled automatically for
     servers.

   - CVE-2014-3568: OpenSSL configured with "no-ssl3" would still allow
     a complete SSL 3.0 handshake to run.

New in pyOpenSSL
----------------

 * Dropped zlib support from OpenSSL builds to more easily prevent the
   CRIME attack without having to use special SSL context options.

 * Disabled the SSLv2 support in OpenSSL builds. SSLv2 has long been
   broken and this simplifies writing secure servers/clients.

 * Updated the included CA root certificate bundles to Mozilla's
   2014-08-26 update.

 * Improved cipher list in https_client.py example which prefers the
   newer AES128-GCM and elliptic curve DH over other ciphers.

 * Added new context flag MODE_SEND_FALLBACK_SCSV. Documented previously
   undocumented MODE_RELEASE_BUFFERS and removed non-existing
   MODE_NO_COMPRESSION from the documentation.

 * Added web installer package to the Python Package Index (PyPI) which
   simplifies installation.

 * In addition to the usual ways of installing eGenix pyOpenSSL, we have
   uploaded a web installer to PyPI, so that it is now also possible to
   use one of these installation methods on all supported platforms
   (Windows, Linux, Mac OS X):

   - easy_install egenix-pyopenssl via PyPI
   - pip install egenix-pyopenssl via PyPI
   - egg reference in zc.buildout via PyPI
   - running "python setup.py install" in the unzipped web installer
     archive directory

   The web installer will automatically detect the platform and choose
   the right binary download package for you. All downloads are verified
   before installation.

 * Resolved a problem with a pyOpenSSL test for certificate extensions:
   OpenSSL 1.0.1i+ wants a signature algorithm to be defined when
   loading PEM certificates.

 * Moved eGenix additions to pyOpenSSL to a new extras/ dir in the
   source distribution.

 * In previous releases, we also added the OpenSSL version number to the
   package version. Since this causes very long version numbers, we have
   dropped the OpenSSL version starting with 0.13.5 and will only
   increase the main version number from now on. In the future, we plan
   to switch to a new version scheme that is compatible with our normal
   version number scheme for products.

pyOpenSSL / OpenSSL Binaries Included
-------------------------------------

In addition to providing sources, we make binaries available that
include both pyOpenSSL and the necessary OpenSSL libraries for all
supported platforms: Windows x86 and x64, Linux x86 and x64, Mac OS X
PPC, x86 and x64.

We've also added egg-file distribution versions of our eGenix.com
pyOpenSSL Distribution for Windows, Linux and Mac OS X to the available
download options. These make setups using e.g. zc.buildout and other
egg-file based installers a lot easier.

________________________________________________________________________
DOWNLOADS

The download archives and instructions for installing the package can
be found at:

    http://www.egenix.com/products/python/pyOpenSSL/

________________________________________________________________________
UPGRADING

Before installing this version of pyOpenSSL, please make sure that you
uninstall any previously installed pyOpenSSL version. Otherwise, you
could end up not using the included OpenSSL libs.

_______________________________________________________________________
SUPPORT

Commercial support for these packages is available from eGenix.com.
Please see

    http://www.egenix.com/services/support/

for details about our support offerings.

________________________________________________________________________
MORE INFORMATION

For more information about the eGenix pyOpenSSL Distribution, licensing
and download instructions, please visit our web-site or write to
sales at egenix.com.

Enjoy,
-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Oct 24 2014)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
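As an added example for this thread (not code from the original poster, from Phil Mayers, or from the eGenix distribution): the client configuration that Phil's reply asks for, a context that negotiates the highest TLS version both peers share instead of forcing SSLv3, and that also refuses TLS compression, the CRIME vector the announcement mentions. It is written with Python's standard-library ssl module rather than pyOpenSSL so that it runs on any CPython 3.7+ without extra packages; the pyOpenSSL equivalent is Context(SSLv23_METHOD) followed by set_options(OP_NO_SSLv2 | OP_NO_SSLv3 | OP_NO_COMPRESSION). The host, port and CA file name are taken from the original post; make_client_context, describe_context and connect_and_report are names chosen here.

```python
import socket
import ssl

# Endpoint and CA file from the original post.
APNS_SANDBOX = ("gateway.sandbox.push.apple.com", 2195)
CA_FILE = "entrust_2048_ca.cer"


def make_client_context(cafile=None, certfile=None, keyfile=None, password=None):
    """Client context that negotiates the highest TLS version both peers share.

    PROTOCOL_TLS_CLIENT is the stdlib counterpart of pyOpenSSL's
    SSLv23_METHOD: the ClientHello offers the newest version the client
    supports and the server picks the best common one, so a server that has
    switched SSLv3 off after POODLE still finds a version it accepts.
    Forcing SSLv3_METHOD, as the posted code did, offers only SSLv3 and such
    a server answers with the handshake-failure alert the poster saw.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Explicit floor so the context never drops to SSLv3/TLS 1.0/1.1,
    # whatever this interpreter build's default happens to be.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # PROTOCOL_TLS_CLIENT already sets OP_NO_SSLv2/OP_NO_SSLv3/OP_NO_COMPRESSION;
    # restating compression makes the CRIME mitigation visible in the code.
    ctx.options |= ssl.OP_NO_COMPRESSION
    # Same intent as VERIFY_PEER in the posted snippet, plus the hostname
    # match that a pyOpenSSL verify callback does not perform by itself.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    if certfile:
        # Client certificate and key (APNs authenticates the app provider this
        # way); password unlocks an encrypted PEM key.
        ctx.load_cert_chain(certfile, keyfile=keyfile, password=password)
    return ctx


def describe_context(ctx):
    """Plain-value summary of the settings that decide whether legacy
    protocol versions or compression can ever be negotiated."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "no_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        # True when nothing older than TLS 1.0 can be offered, i.e. SSLv3 is out.
        "refuses_sslv3": ctx.minimum_version >= ssl.TLSVersion.TLSv1,
    }


def connect_and_report(ctx, addr, timeout=10):
    """Open the connection the poster was attempting and return the
    negotiated protocol name, e.g. 'TLSv1.2'.  An ssl.SSLError raised here is
    the stdlib's form of the alert: the peer rejected every version offered."""
    raw = socket.create_connection(addr, timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=addr[0]) as tls:
        return tls.version()


if __name__ == "__main__":
    # System CA store and no client certificate; pass CA_FILE and the
    # cert/key files to reproduce the poster's setup.
    ctx = make_client_context()
    print(describe_context(ctx))
    print("negotiated", connect_and_report(ctx, APNS_SANDBOX))
```

The check in describe_context is the one worth keeping in a test suite: a context whose minimum_version is at or above TLSv1 cannot be talked down to SSLv3 no matter what the peer offers, which is the property Phil's reply is really asking for.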